Post on 13-Feb-2018


TRACING EMAILS, EMAIL ACCOUNTS, AND IP ADDRESSES

SPECIAL AGENT SHEILA GORRIZ

Miami Electronic Crimes Task Force

United States Secret Service

IP (INTERNET PROTOCOL) ADDRESS

• Numeric address assigned by an ISP (INTERNET SERVICE PROVIDER) to a customer's connection for the duration of an online session

• Example of an IPv4 address: 192.0.2.43 (four numbers from 0 to 255 separated by dots; the 192.0.2.0/24 block is reserved for documentation, so no real host carries it)

IP ADDRESS, continued

**IMPORTANT**

• An IP address does not by itself identify a particular computer on the Internet, let alone the person using it

• An IP address does show that a computer, using the assigned IP address, accessed the Internet at that time

What service was utilized to commit the crime or suspect activity?

Internet Service (IS)

or

Internet Service Provider (ISP)

INTERNET SERVICE (IS)

• Company that provides its customers with free services (chat, email, search engine) on the Internet

• Registration is free and the identity of the user is rarely, if ever, verified

• Examples: Yahoo, Hotmail, Google, Kazaa, Bearshare

• A customer does not pay for the IS's services

• An IS does not provide a customer with Internet access

INTERNET SERVICE PROVIDER (ISP)

• The company provides a customer with Internet access

• The company provides the customer with additional services (chat, search engines, email)

• Examples: AOL, Earthlink, Bellsouth, Comcast

• A customer PAYS the ISP for Internet access!

Types of IP Addresses provided by the ISP.

DYNAMIC

or

STATIC

DIAL-UP SERVICE

• DIAL-UP is accessing the Internet by making a telephone call (dialing) to the ISP

• Customer will usually be assigned a different IP address for each Internet session; this is a dynamic IP address

• Example:

– On 08/05/07 at 6:50 pm, the customer dials into the ISP for Internet access and is assigned IP address 198.51.100.6

– On 08/06/07 at 7:12 am, the customer dials into the ISP for Internet access and is assigned IP address 198.51.100.187 (addresses from the RFC 5737 documentation range; the point is that the same customer holds a different address in each session)

DIAL-UP, continued

• Ensure you request the ANI (AUTOMATIC NUMBER IDENTIFICATION) record from the ISP for the target IP address and session time

• ANI is the telephone number from which the customer dialed into the ISP for Internet service

• When you subpoena records for a DSL / cable modem IP address, request that the ISP provide the physical service address where the DSL / cable modem is installed

The Criminal Mind and Feeling Safe

Diagram on the slide: suspect → ISP → Internet, with the venues used as examples: Yahoo Chat (trading credit card numbers) and LimeWire (collecting child pornography)

Suspects accessing the Internet through an ISP feel safe committing crimes using programs and sites such as LimeWire, Yahoo, and photo-sharing websites

IS REGISTRATION

• The suspect will usually provide a false name and other personal information

• However, a suspect will sometimes provide some helpful information

• Example:

– A suspect signs up for a Hotmail email account. He provides a fake name and date of birth, but does provide accurate information about his town and state of residence.

IS REGISTRATION, continued

• An IS usually requests an alternate email address from a user during registration.

• When a customer registers for service, changes their password, attempts to change a password, and accesses the services of the IS (for example, an email account), the IS records the time and IP address of the customer.

ISP REGISTRATION

• Customer must provide a credit card, name, phone number, billing address, and other personal information.

• For a DSL / Cable Modem, the customer must provide the physical location for access to the Internet.

*Please Note*

• U.S. law does not require ISPs or ISs to retain electronic records for any set period; what is the law on data retention in your country?

• A U.S. provider can, however, be sent a preservation request under 18 U.S.C. § 2703(f), which obliges it to preserve the specified records for 90 days (renewable once) while the subpoena or warrant is obtained

• Some providers purge their records every day, while some maintain a database for years

• The quicker you initiate the investigation, the better chance you have of recovering the information

IP ADDRESS: EMAIL

• Email headers contain important information:

– Originating (sender's) IP address

– Date stamp, with the time zone of the server that recorded it

– May even contain the sender's full name

EMAIL HEADERS: HOW TO VIEW

• Ask the recipient for the full ("raw") message header, not the summary the mail client displays; most clients expose it under an option such as "View source" or "Show original"

• Each mail server that handles the message prepends its own Received: line, so the lines read top-down from the recipient's server back toward the sender; the bottom Received: line is the first hop

EXAMPLE HEADER

From - Mon Mar 19 08:17:17 2001
Return-Path: <wHargrove@newarkpd.state.de.us>
Received: from otma1.otm.state.de.us (votma1.state.de.us [167.21.1.115])
    by copland.udel.edu (8.9.3/8.9.3) with ESMTP id NAA06271
    for <sbunting@udel.edu>; Thu, 15 Mar 2001 13:10:40 -0500 (EST)
Received: from deljismail1.state.de.us (imail.deljis.state.de.us [172.20.66.11])
    by otma1.otm.state.de.us (8.11.0/8.11.0) with ESMTP id f2FIA7t28739
    for <sbunting@udel.edu>; Thu, 15 Mar 2001 13:10:07 -0500 (EST)
Received: from newarkpd.state.de.us [172.20.132.102]
    by deljismail1.state.de.us with ESMTP (SMTPD32-5.05) id A8B32701AE;
    Thu, 15 Mar 2001 13:23:47 -0500
Received: by NEWARKPD with Internet Mail Service (5.5.1960.3)
    id <FY66DSJT>; Thu, 15 Mar 2001 13:08:29 -0500
Message-ID: <777ED2AC6510D311BBB50000D11CB450167AAD@NEWARKPD>
From: William Hargrove <wHargrove@newarkpd.state.de.us>
To: "Steve Bunting (E-mail)" <sbunting@UDel.Edu>
Subject: good morning
Date: Thu, 15 Mar 2001 13:08:28 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: text/plain
X-Mozilla-Status: 8003
X-Mozilla-Status2: 00000000
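The following is an added example, not part of the slides, showing how the header above is read programmatically with Python's standard library. It parses the Received: fields in delivery order, normalises each timestamp to UTC (the form the later "$$ MONEY $$" slide needs for the subpoena), and reports the earliest hop with a publicly routable address. On this header the bottom Received: lines carry only 172.20.x.x addresses, which are RFC 1918 private space that no ISP can be subpoenaed for, so the first usable address is 167.21.1.115 as recorded by copland.udel.edu. The header text is the slide's own, re-folded one field per line; the function names are this example's, not from any tool the slides mention.

```python
import email
import ipaddress
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# The header from the slide, re-folded one field per line (continuation lines
# indented) so the stdlib parser accepts it. The leading mbox separator
# ("From - Mon Mar 19 ...") is not a header field and is left out.
SLIDE_HEADER = """\
Return-Path: <wHargrove@newarkpd.state.de.us>
Received: from otma1.otm.state.de.us (votma1.state.de.us [167.21.1.115])
    by copland.udel.edu (8.9.3/8.9.3) with ESMTP id NAA06271
    for <sbunting@udel.edu>; Thu, 15 Mar 2001 13:10:40 -0500 (EST)
Received: from deljismail1.state.de.us (imail.deljis.state.de.us [172.20.66.11])
    by otma1.otm.state.de.us (8.11.0/8.11.0) with ESMTP id f2FIA7t28739
    for <sbunting@udel.edu>; Thu, 15 Mar 2001 13:10:07 -0500 (EST)
Received: from newarkpd.state.de.us [172.20.132.102]
    by deljismail1.state.de.us with ESMTP (SMTPD32-5.05) id A8B32701AE;
    Thu, 15 Mar 2001 13:23:47 -0500
Received: by NEWARKPD with Internet Mail Service (5.5.1960.3)
    id <FY66DSJT>; Thu, 15 Mar 2001 13:08:29 -0500
Message-ID: <777ED2AC6510D311BBB50000D11CB450167AAD@NEWARKPD>
From: William Hargrove <wHargrove@newarkpd.state.de.us>
To: "Steve Bunting (E-mail)" <sbunting@UDel.Edu>
Subject: good morning
Date: Thu, 15 Mar 2001 13:08:28 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: text/plain

"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Break one Received: field into sending host, sending IP, receiving host
    and the receiving server's timestamp normalised to UTC."""
    flat = " ".join(value.split())            # undo header folding
    by_m = re.search(r"\bby\s+(\S+)", flat)
    head = flat[: by_m.start()] if by_m else flat   # the "from ..." clause
    from_m = re.match(r"from\s+(\S+)", head)
    ip_m = BRACKETED_IP.search(head)          # IP the receiving server saw
    ts = None
    if ";" in flat:                           # the date follows the last ';'
        try:
            ts = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
            ts = ts.astimezone(timezone.utc)
        except (TypeError, ValueError):
            ts = None
    return {
        "from_host": from_m.group(1) if from_m else None,
        "ip": ip_m.group(1) if ip_m else None,
        "by": by_m.group(1) if by_m else None,
        "timestamp": ts,
    }


def trace_hops(raw):
    """Received: fields in delivery order. Each relay prepends its own line,
    so the bottom of the header is the first hop and comes out first here."""
    msg = email.message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def originating_ip(raw, public_only=True):
    """Earliest hop IP. With public_only, skip RFC 1918 and other
    non-routable addresses, which no ISP can be subpoenaed for."""
    for hop in trace_hops(raw):
        if hop["ip"] is None:
            continue
        if public_only and not ipaddress.ip_address(hop["ip"]).is_global:
            continue
        return hop["ip"]
    return None


def subpoena_target(raw):
    """(IP, UTC timestamp, server that recorded it): what the request needs."""
    target = originating_ip(raw)
    for hop in trace_hops(raw):
        if hop["ip"] == target:
            return target, hop["timestamp"], hop["by"]
    return None


if __name__ == "__main__":
    for i, hop in enumerate(trace_hops(SLIDE_HEADER), 1):
        print(i, hop["from_host"], hop["ip"], "->", hop["by"], hop["timestamp"])
    print("subpoena target:", subpoena_target(SLIDE_HEADER))
```

Two caveats are visible in this very header. First, only the Received: line written by a server you trust (here the recipient's copland.udel.edu) is reliable; everything below it arrived with the message from the sending side and can be forged, so treat lower hops as leads, not proof. Second, each timestamp comes from that relay's own clock: deljismail1.state.de.us stamps its hop 13:23:47, thirteen minutes later than the server that received the message from it, so base the subpoena on the time recorded by the trusted server and allow for clock skew.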

"WHO IS": How to Look Up Information to Start the Process

• Use free WHOIS lookups to identify the ISP that holds the target IP address; every public IP address is registered with one of the five Regional Internet Registries (ARIN, LACNIC, RIPE NCC, APNIC, AFRINIC), each of which runs a public whois service

• This gives you the company or ISP where you will submit your requests

– Subpoena or informal request

LACNIC.org

GOING ONLINE FOR EXAMPLES

• LACNIC: 72.37.160.24

• ARIN: 205.149.192.0

• Samspade.org

• www.yahoo.com

$$ MONEY $$

• An IP address equals Internet access, and Internet access means SOMEBODY, SOMEWHERE IS PAYING FOR IT

• Subpoena the ISP for all customer and billing information, including the ANI or the physical location of the modem, for the target IP address

• Your subpoena must state the exact date and time the target IP address was in use, including the time zone (UTC offset): dynamic addresses are reassigned, so the same IP at a different time belongs to a different customer

$$ MORE MONEY $$

• Some ISPs record a MAC address (the hardware address of the cable modem, or of the customer's router or network card) during an Internet session

• This is good forensic evidence; give it to your forensic examiner so it can be matched against the seized hardware (a MAC address can be changed in software, so treat a match as corroboration rather than proof)

• The ISP may also provide telephone service for the same customer

PHYSICAL LOCATION

IDENTIFY THE PHYSICAL LOCATION OF THE ANI OR DSL / MODEM LOCATION

TRACKING WITHOUT AN IP ADDRESS: BY USERNAME OR EMAIL ADDRESS

• Determine which IS issued the email account or username

• Subpoena all customer information, but focus on the IP logs: the IP used at registration, at each password change (or attempted change), and at each login to the account

• The alternate email address given at registration can also be used to track the individual; it leads to another provider with its own IP logs
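An added example (not from the slides) of why the date stamp matters when an IS's IP log is matched against the ISP's records for the address. The two logs are constructed sample data in a format a provider might return, using RFC 5737 documentation addresses and fictitious account numbers; real formats vary by provider. Events are converted to UTC before comparison, because the IS and the ISP often report in different time zones, and an IP with no lease covering that instant is reported as unmatched rather than guessed.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample data, not from the slides. The IS log is what a webmail
# provider returns for an account: event time (with the provider's UTC
# offset), event type, source IP. The lease log is what an ISP returns for a
# dynamic address: IP, lease start, lease end (both UTC), subscriber account.
IS_IP_LOG = """\
2007-08-05T18:52:10-04:00 registration    203.0.113.17
2007-08-05T19:03:44-04:00 login           203.0.113.17
2007-08-06T07:15:02-04:00 password_change 203.0.113.58
2007-08-06T07:20:31-04:00 login           203.0.113.58
2007-08-07T09:00:00-04:00 login           198.51.100.9
"""

ISP_LEASE_LOG = """\
203.0.113.17 2007-08-05T22:50:00Z 2007-08-06T01:40:00Z ACCT-1029
203.0.113.17 2007-08-06T03:10:00Z 2007-08-06T09:00:00Z ACCT-7741
203.0.113.58 2007-08-06T11:12:00Z 2007-08-06T12:30:00Z ACCT-1029
"""


def to_utc(stamp):
    """Parse an ISO 8601 timestamp (numeric offset or trailing Z) to aware UTC.
    A stamp with no zone is rejected: it cannot be compared safely."""
    dt = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without zone: {stamp}")
    return dt.astimezone(timezone.utc)


def parse_is_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event, ip = line.split()
        ipaddress.ip_address(ip)              # reject malformed addresses early
        events.append({"time": to_utc(stamp), "event": event, "ip": ip})
    return events


def parse_lease_log(text):
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, start, end, account = line.split()
        ipaddress.ip_address(ip)
        leases.append({"ip": ip, "start": to_utc(start),
                       "end": to_utc(end), "account": account})
    return leases


def accounts_for_ip(leases, ip):
    """Every subscriber that ever held the address: the ambiguous answer you
    get back if the request omits the date stamp."""
    return sorted({l["account"] for l in leases if l["ip"] == ip})


def attribute(events, leases):
    """Resolve each IS event to the subscriber holding that IP at that instant.
    Lease intervals are half-open [start, end). No covering lease -> None."""
    out = []
    for ev in events:
        holder = None
        for l in leases:
            if l["ip"] == ev["ip"] and l["start"] <= ev["time"] < l["end"]:
                holder = l["account"]
                break
        out.append({**ev, "account": holder})
    return out


if __name__ == "__main__":
    leases = parse_lease_log(ISP_LEASE_LOG)
    print("holders of 203.0.113.17 over the whole log:",
          accounts_for_ip(leases, "203.0.113.17"))
    for r in attribute(parse_is_log(IS_IP_LOG), leases):
        print(r["time"].isoformat(), r["event"], r["ip"], "->", r["account"])
```

Without the time, the request for 203.0.113.17 returns two subscribers; with the time, every event resolves to ACCT-1029, and the final login from an address the ISP has no lease for stays unattributed, which is the signal to send a preservation request or check another provider rather than guess.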

YAHOO ACCOUNT MANAGEMENT TOOL

IP LOG

*IMPORTANT FACTS*

• Law Enforcement is better off having a suspect use Internet communication than a phone number, because pre-paid phones and other phone services have made conducting criminal activity almost untraceable.

• In most investigations, and especially in fugitive cases, the biggest problem is locating the suspect. An email address or Internet communication can be tracked to a PHYSICAL LOCATION.

IMPORTANT FACTS, continued

• When a criminal act has occurred using an email address, ANY COMPUTER accessing that email might contain potential evidence. These computers are subject to seizure and forensic examination.

Sheila.Gorriz@usss.dhs.gov